633868 – (CVE-2017-14695, CVE-2017-14696) <app-admin/salt-{2016.3.8, 2016.11.8, 2017.7.2}: multiple vulnerabilities

Bug 633868 (CVE-2017-14695, CVE-2017-14696) - <app-admin/salt-{2016.3.8, 2016.11.8, 2017.7.2}: multiple vulnerabilities

Summary: <app-admin/salt-{2016.3.8, 2016.11.8, 2017.7.2}: multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	CVE-2017-14695, CVE-2017-14696

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal trivial
Assignee:	Gentoo Security

URL:	https://docs.saltstack.com/en/latest/...
Whiteboard:	~2 [noglsa cve]
Keywords:

Depends on:	CVE-2017-12791
Blocks:
	Show dependency tree

Reported:	2017-10-09 17:53 UTC by GLSAMaker/CVETool Bot
Modified:	2018-01-25 00:53 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description GLSAMaker/CVETool Bot gentoo-dev

2017-10-09 17:53:19 UTC

CVE-2017-14695 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14695):
  Directory traversal vulnerability in minion id validation in SaltStack.
  Allows remote minions with incorrect credentials to authenticate to a master
  via a crafted minion ID.

CVE-2017-14696 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-14696):
  Remote Denial of Service with a specially crafted authentication request.

Comment 1 Larry the Git Cow gentoo-dev

2017-10-12 01:56:24 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b197479f09b76b5949257698be5d61963c4bf19

commit 1b197479f09b76b5949257698be5d61963c4bf19
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2017-10-12 01:54:37 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2017-10-12 01:56:13 +0000

    app-admin/salt: Version bump to 2016.3.8
    
    Bug: https://bugs.gentoo.org/633868
    Package-Manager: Portage-2.3.11, Repoman-2.3.3

 app-admin/salt/Manifest             |   1 +
 app-admin/salt/salt-2016.3.8.ebuild | 147 ++++++++++++++++++++++++++++++++++++
 2 files changed, 148 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d3f64b31e3f0527ad788ec0dcab65c92178fbcea

commit d3f64b31e3f0527ad788ec0dcab65c92178fbcea
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2017-10-12 01:18:42 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2017-10-12 01:56:11 +0000

    app-admin/salt: Version bump to 2017.11.8
    
    Bug: https://bugs.gentoo.org/633868
    Package-Manager: Portage-2.3.11, Repoman-2.3.3

 app-admin/salt/Manifest              |   1 +
 app-admin/salt/salt-2016.11.8.ebuild | 146 +++++++++++++++++++++++++++++++++++
 2 files changed, 147 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d082e7a9c6c822343f67951dbbcb180714bc1699

commit d082e7a9c6c822343f67951dbbcb180714bc1699
Author:     Patrick McLean <chutzpah@gentoo.org>
AuthorDate: 2017-10-12 01:11:16 +0000
Commit:     Patrick McLean <chutzpah@gentoo.org>
CommitDate: 2017-10-12 01:56:10 +0000

    app-admin/salt: Version bump to 2017.7.2
    
    Bug: https://bugs.gentoo.org/633868
    
    Package-Manager: Portage-2.3.11, Repoman-2.3.3

 app-admin/salt/Manifest             |   1 +
 app-admin/salt/salt-2017.7.2.ebuild | 140 ++++++++++++++++++++++++++++++++++++
 2 files changed, 141 insertions(+)}

Comment 2 Aaron Bauman (RETIRED) gentoo-dev

2017-10-28 14:05:19 UTC

@maintainer, please cleanup.  This also depends on the other comments in bug #627928

Comment 3 Aaron Bauman (RETIRED) gentoo-dev

2018-01-25 00:53:39 UTC

Tree is clean.